Patents by Inventor James Christopher Wiese

James Christopher Wiese has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11736530
    Abstract: Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines each in accordance with a respective security container, wherein the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. And one of the virtual machines is identified as requiring transfer to the quarantine container based on, at least, one or more of the obtained tags and the one or more criteria.
    Type: Grant
    Filed: December 4, 2021
    Date of Patent: August 22, 2023
    Assignee: NICIRA, INC.
    Inventors: Sachin Mohan Vaidya, Azeem Feroz, Anirban Sengupta, James Christopher Wiese
  • Publication number: 20220094717
    Abstract: Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines each in accordance with a respective security container, wherein the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. And one of the virtual machines is identified as requiring transfer to the quarantine container based on, at least, one or more of the obtained tags and the one or more criteria.
    Type: Application
    Filed: December 4, 2021
    Publication date: March 24, 2022
    Inventors: Sachin Mohan Vaidya, Azeem Feroz, Anirban Sengupta, James Christopher Wiese
  • Patent number: 11196773
    Abstract: Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines each in accordance with a respective security container, wherein the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. And one of the virtual machines is identified as requiring transfer to the quarantine container based on, at least, one or more of the obtained tags and the one or more criteria.
    Type: Grant
    Filed: November 14, 2019
    Date of Patent: December 7, 2021
    Assignee: NICIRA, INC.
    Inventors: Sachin Mohan Vaidya, Azeem Feroz, Anirban Sengupta, James Christopher Wiese
  • Publication number: 20200225978
    Abstract: Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g.
    Type: Application
    Filed: March 28, 2020
    Publication date: July 16, 2020
    Inventors: Azeem Feroz, Vasantha Kumar, James Christopher Wiese, Amit Vasant Patil
  • Patent number: 10606626
    Abstract: A method for performing network access filtering and/or categorization through guest introspection on a device data compute node (DCN) that executes on a host is provided. The method, through a guest introspector installed on the DCN, intercepts a data message that the DCN is preparing to send. The method identifies a category of the network resource. The method uses the category of the network resource to examine a set of network access policies that are stored on the host in order to determine whether the network access should be allowed. The method identifies a network access policy that requires the rejection of the network access when the access to the network resource causes an aggregate bandwidth for accessing the identified category of network resource to exceed a bandwidth threshold. The method rejects the network access based on the identified network access policy.
    Type: Grant
    Filed: July 30, 2015
    Date of Patent: March 31, 2020
    Assignee: NICIRA, INC.
    Inventors: Azeem Feroz, Vasantha Kumar, James Christopher Wiese, Amit Vasant Patil
  • Publication number: 20200092336
    Abstract: Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines each in accordance with a respective security container, wherein the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. And one of the virtual machines is identified as requiring transfer to the quarantine container based on, at least, one or more of the obtained tags and the one or more criteria.
    Type: Application
    Filed: November 14, 2019
    Publication date: March 19, 2020
    Inventors: Sachin Mohan Vaidya, Azeem Feroz, Anirban Sengupta, James Christopher Wiese
  • Patent number: 10511636
    Abstract: Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines each in accordance with a respective security container, wherein the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. And one of the virtual machines is identified as requiring transfer to the quarantine container based on, at least, one or more of the obtained tags and the one or more criteria.
    Type: Grant
    Filed: August 26, 2018
    Date of Patent: December 17, 2019
    Assignee: NICIRA, INC.
    Inventors: Sachin Mohan Vaidya, Azeem Feroz, Anirban Sengupta, James Christopher Wiese
  • Publication number: 20190014154
    Abstract: Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines each in accordance with a respective security container, wherein the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. And one of the virtual machines is identified as requiring transfer to the quarantine container based on, at least, one or more of the obtained tags and the one or more criteria.
    Type: Application
    Filed: August 26, 2018
    Publication date: January 10, 2019
    Inventors: Sachin Mohan Vaidya, Azeem Feroz, Anirban Sengupta, James Christopher Wiese
  • Patent number: 10075470
    Abstract: Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines each in accordance with a respective security container, wherein the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. And one of the virtual machines is identified as requiring transfer to the quarantine container based on, at least, one or more of the obtained tags and the one or more criteria.
    Type: Grant
    Filed: April 19, 2013
    Date of Patent: September 11, 2018
    Assignee: NICIRA, INC.
    Inventors: Sachin Mohan Vaidya, Azeem Feroz, Anirban Sengupta, James Christopher Wiese
  • Patent number: 9891940
    Abstract: Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g.
    Type: Grant
    Filed: July 30, 2015
    Date of Patent: February 13, 2018
    Assignee: NICIRA, INC.
    Inventors: Azeem Feroz, Vasantha Kumar, James Christopher Wiese, Amit Vasant Patil
  • Publication number: 20160191413
    Abstract: Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g.
    Type: Application
    Filed: July 30, 2015
    Publication date: June 30, 2016
    Inventors: Azeem Feroz, Vasantha Kumar, James Christopher Wiese, Amit Vasant Patil
  • Publication number: 20160191521
    Abstract: Some embodiments of the invention provide a method for performing network access filtering and/or categorization through guest introspection (GI) on a device. In some embodiments, this GI method intercepts directly on a device a data message that device is preparing to send, and uses a service appliance to determine whether the data message can be sent. The device in some embodiments is a guest virtual machine (VM) that executes on a multi-VM host computing device along with a service VM (SVM) that is the service appliance that determines whether the data message can be sent based on a set of filtering rules. In some embodiments, the method uses one or more introspectors (e.g., network introspector and/or file introspector) to capture introspection data from the guest VM (GVM) about the data message that the GVM is preparing to send. To perform the network access filtering, the GI method in some embodiments captures contextual information, such as user and application information (e.g.
    Type: Application
    Filed: July 30, 2015
    Publication date: June 30, 2016
    Inventors: Azeem Feroz, Vasantha Kumar, James Christopher Wiese, Amit Vasant Patil
  • Publication number: 20150381362
    Abstract: For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts differently the data messages for different GVMs that execute on the host.
    Type: Application
    Filed: July 31, 2015
    Publication date: December 31, 2015
    Inventors: Kiran Kumar Thota, Azeem Feroz, James Christopher Wiese
  • Publication number: 20140317677
    Abstract: Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines each in accordance with a respective security container, wherein the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. And one of the virtual machines is identified as requiring transfer to the quarantine container based on, at least, one or more of the obtained tags and the one or more criteria.
    Type: Application
    Filed: April 19, 2013
    Publication date: October 23, 2014
    Applicant: VMware, Inc.
    Inventors: Sachin Mohan Vaidya, Azeem Feroz, Anirban Sengupta, James Christopher Wiese
  • Patent number: 8527618
    Abstract: A repercussionless ephemeral agent for scalable parallel operation of distributed computers provides efficient processing on the distributed computers via a bootstrapped agent and on-demand downloading of software components. Central computers having access to script, bootstrap, and library software code as well as a database, activate remote execution of the script on the distributed computers to control the distributed computers. The distributed computers are optionally controlled to perform an analysis according to the script in a distributed fashion with a high degree of parallelism. The analysis optionally examines all or portions of files implemented on or accessible to the distributed computers without the necessity of transferring the files from the distributed computers to the central machines.
    Type: Grant
    Filed: December 7, 2006
    Date of Patent: September 3, 2013
    Assignee: EMC Corporation
    Inventor: James Christopher Wiese
  • Patent number: 8230484
    Abstract: A client computer and/or a user is authenticated via installation of an agent, permitting access to previously inaccessible resources. All users are initially denied access to a resource via a permission list, such as by being a member of a group that is denied access. The user, once authenticated, is permitted to access the resource, e.g. by being temporarily removed from a cached copy of the group, by being temporarily added to a cached copy of a group allowed to access the resource, or both. Authentication is revoked when the agent is uninstalled. Subsequent accesses to the resource are not permitted, e.g. by undoing the temporary removal or addition. An optional resource firewall proxy server between client computers and a resource filters requests for the resource, and until a user is authenticated via an out-of-band communication from an agent, the user is denied access to the resource.
    Type: Grant
    Filed: May 1, 2008
    Date of Patent: July 24, 2012
    Assignee: EMC Corporation
    Inventor: James Christopher Wiese
  • Patent number: 7996511
    Abstract: An enterprise coordinator coupled to one or more site coordinators provides configuration and scheduling of tasks across a plurality of sites, and accumulates results. Each of the site coordinators optionally manages one or more respective agents to perform agent-local ones of the tasks, and optionally manages one or more respective grid workers to perform, in a distributed fashion, site-local ones of the tasks. Each of the site coordinators optionally apportions a state file into respective work lists that are assigned to the respective grid workers, and concatenates at least some portions of received results to produce a new state file. Each of the grid workers performs operations in accordance with the assigned work list and returns results including an updated version of the work list. In some usage scenarios, a bootstrapping technique is used to install an agent program on unprovisioned ones of the agents and/or the grid workers.
    Type: Grant
    Filed: April 18, 2008
    Date of Patent: August 9, 2011
    Assignee: EMC Corporation
    Inventors: James Christopher Wiese, Stephen C. Hoyt, James Donald Nisbet
  • Patent number: 7954151
    Abstract: Monitored content is classified to determine partial matches with fragments of documents. A set of redundant keys, or sliding sectional fingerprints, are computed for every possible alignment of the documents with respect to the monitored content. The keys are stored in repositories according to the classification of the corresponding documents. Sectional fingerprints are computed for the monitored content, and the repositories are searched. If a match is found in a repository corresponding to public content, then the monitored data section is classified as public. If a match is found only in a repository corresponding to private content, then the data section is classified as private. Otherwise, the data section is classified as unknown. In a related aspect, a set of policies are searched for a first match in part according to the classifications of the monitored data sections, and a designated action taken if the first match is found.
    Type: Grant
    Filed: September 24, 2004
    Date of Patent: May 31, 2011
    Assignee: EMC Corporation
    Inventors: James Donald Nisbet, James Christopher Wiese, David Alexander Reizes, Stephen Crosby Hoyt
  • Patent number: 7523301
    Abstract: Monitored content is analyzed to determine full and partial matches to previously classified content. Monitored content matching previously classified public content is classified as public, even if the monitored content is also found to match previously classified private content. In other words, public classification “overrides” potentially private classification. Monitored content matching only previously classified private content is classified as private. All remaining otherwise unclassified monitored content is classified as unknown. Monitored content is analyzed with respect to a session. If any content in a session is private, then the session is classified as private. If all content in a session is public, then the session is classified as public. Otherwise, the session is classified as unknown. In a related aspect, a set of policies are searched for a first match in part according to the classification, and a designated action taken if the first match is found.
    Type: Grant
    Filed: September 24, 2004
    Date of Patent: April 21, 2009
    Assignee: RSA Security
    Inventors: James Donald Nisbet, James Christopher Wiese, David Alexander Reizes, Stephen Crosby Hoyt
  • Patent number: 7516492
    Abstract: In one embodiment, documents accessible via a designated public account are classified as public. In another embodiment, documents accessible according to a designated public access control list are classified as public. In some embodiments, all documents not classified as public are classified as private. Content in the public documents is linguistically analyzed, resulting in a set of keys for use in subsequent full and partial content matching. The keys and associated file names are stored in a public-content identification repository. Similarly, content in the private documents is linguistically analyzed, and the results are stored in a private-content identification repository. Subsequently, full and partial content matching is performed on monitored content according to information in the public and private repositories.
    Type: Grant
    Filed: September 24, 2004
    Date of Patent: April 7, 2009
    Assignee: RSA Security Inc.
    Inventors: James Donald Nisbet, James Christopher Wiese, David Alexander Reizes, Stephen Crosby Hoyt